THE LIFE OF A WEB BUG


TODAY'S AGENDA

• WHAT IS A WEB BUG?

• HOW THEY WORK

• USES OF WEB BUGS

• EMAIL WEB BUGS

• HOW THEY WORK

• WHEN GOOD BUGS GO BAD

• EMAIL WIRETAPPING

• I BET YOU DIDN’T KNOW…

• RULES OF ENGAGEMENT

• THE FUTURE IS ‘P3P’


WHAT IS A WEB BUG?

PRIVACY FOUNDATION DEFINITION
A Web bug is a graphic on a Web page or in an Email message that is designed to monitor who is reading the Web page or Email message. Web bugs are often invisible because they are typically only 1-by-1 pixel in size. They are represented as HTML IMG tags.

DOUBLECLICK DEFINITION
“A clear GIF [Graphics Interchange Format] or pixel tag [also known as a 'web beacon'] is a line of code that companies place on their web sites which allows us to help them analyze their advertising campaigns and the general usage patterns of visitors to their web sites”

WHERE THEY DIFFER
“…Clear GIFs and pixel tags are sometimes erroneously called 'web bugs.' While clear GIFs and pixel tags do not cause any damage to your computer, 'web bugs,' often written in JavaScript, contain executable files, and may cause harm to your software or computer”

WHY BUG?
“The word "bug" is being used to denote a small, eavesdropping device”
Source: http://www.Privacyfoundation.org


HOW THEY WORK

THIS IS A DOUBLECLICK (sic) ‘WEB BUG’

// "ord" is not defined in the fragment shown here
var spotlighttag = "http://ad.doubleclick.net/activity;src=468413;type=pgvw;cat=x15prod;ord=" + ord;
document.writeln('<img src="' + spotlighttag + '?" WIDTH=1 HEIGHT=1 BORDER=0>');

http://www.theflyshop.com/

WHAT THEY LIKE TO EAT
When a web page is loaded the tag is activated and it reads the cookie file in the browser and passes back to its server the following information:

• IP address of the computer that fetched the Web bug

• URL of the page that the Web bug is located on

• URL of the Web bug image

• Time the web bug was viewed

• Type of browser that fetched the Web bug image

• A previously set cookie value


USES OF WEB BUGS

• Ad networks can use Web bugs to add information to a personal profile of what sites a person is visiting. The personal profile is identified by the browser cookie of an ad network. At some later time, this personal profile, which is stored in a database server belonging to the ad network, determines what banner ad one is shown.

• Another use of Web bugs is to provide an independent accounting of how many people have visited a particular Web site.

• Web bugs are also used to gather statistics about Web browser usage at different places on the Internet.

• BUGNOSIS

WEB BUGS IN EMAIL MESSAGES

• A web bug can be used to find out if a particular email message has been read by someone and if so, when the message was read.

• A Web bug can provide the IP address of the recipient if the recipient is attempting to remain anonymous.

• Within an organization, a web bug can give an idea how often a message is being forwarded and read.

• To measure how many people have viewed the same email message in a marketing campaign.

• To detect if someone has viewed a junk email message or not. People who do not view a message are removed from the list for future mailings.

• To synchronize a Web browser cookie to a particular email address. This trick allows a Web site to know the identity of people who come to the site at a later date.


UP CLOSE

EXAMPLE OF AN EMAIL WEB BUG

• Email Web bugs are represented as 1-by-1 pixel IMG tags just like Web bugs for Web pages. However, because the sender of the message already knows your Email address, they also include the Email address in the Web bug URL. The Email address can be in plain text or encrypted.

<img width='1' height='1' src="http://www.m0.net/m/logopen02.asp?vid=3&catid=370153037&email=SMITHS %40tiac.net" alt=" ">

EMAIL VENDORS KNOWN TO USE WEB BUGS

• Exactis

• Digital Impact

• Responsys
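A detection sketch for the bugs described on the preceding slides, added here and not part of the original presentation: it scans HTML (a web page or an e-mail body) for IMG tags of at most 1-by-1 pixel served from a foreign host and reports any e-mail address carried in the image URL. The hosts, the address and the names `WebBugFinder` and `find_web_bugs` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def _dim(value):
    """Pixel size of a WIDTH/HEIGHT attribute; missing or odd values count as large."""
    try:
        return int(re.sub(r"px$", "", value.strip().lower()))
    except (AttributeError, ValueError):
        return 10**6

class WebBugFinder(HTMLParser):
    def __init__(self, first_party_host=None):
        super().__init__()
        self.first_party = (first_party_host or "").lower()
        self.findings = []

    def _is_foreign(self, host):
        if not self.first_party:          # e-mail body: every remote host is foreign
            return True
        return host != self.first_party and not host.endswith("." + self.first_party)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlsplit(a.get("src") or "")
        host = (url.hostname or "").lower()
        if not host:                      # relative or missing src: same origin
            return
        tiny = _dim(a.get("width")) <= 1 and _dim(a.get("height")) <= 1
        if tiny and self._is_foreign(host):
            # parse_qsl percent-decodes, so %40 in the URL shows up as "@"
            leaks = [v for _, v in parse_qsl(url.query) if EMAIL_RE.fullmatch(v)]
            self.findings.append({"host": host, "src": a["src"], "leaks": leaks})

def find_web_bugs(html, first_party_host=None):
    """Return one finding per suspected web bug in the given HTML."""
    finder = WebBugFinder(first_party_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page: a logo, a first-party spacer and a tracking pixel.
SAMPLE = """
<img src="/img/logo.gif" width="120" height="40" alt="logo">
<img src="http://shop.example/spacer.gif" width="1" height="1">
<img width='1' height='1' src="http://tracker.example/open.asp?vid=3&email=alice%40example.org" alt=" ">
"""
```

Pass the page's own host when scanning a web page; leave it out for an e-mail body, where every remotely loaded 1-by-1 image is worth reporting.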

EMAIL WIRETAPPING

This exploit allows someone to surreptitiously monitor written messages attached to forwarded messages. Some of the possible ways that this exploit might be used include:

Monitoring the path of a confidential e-mail message and written comments attached.

In a business negotiation conducted via e-mail, one side can learn inside information from the other side as the proposal is discussed through the recipient company's internal e-mail system.

 A bugged e-mail message could capture thousands of e-mail addresses as the forwarded message is sent around the world.

Commercial entities, particularly those based offshore, may seek to offer e-mail wiretapping as a service.

SEGUE TO VAGUELY RELATED TOPIC

• Commercial surveillance- DONE

• Unscrupulous surveillance- DONE

• Workplace surveillance-NOT DONE

I BET YOU DIDN’T KNOW…

"More than three-quarters of major U.S. firms (77.7 percent) record and review employee communications and activities on the job, including phone calls, e-mail, Internet connections, and computer files."

Source: American Management Association (AMA) survey of "Workplace Monitoring & Surveillance 2001"

But during the 9-5 workday…

• 70% of all Internet pornography traffic occurs (source: SexTracker).

• 30 to 40% of Internet surfing is not business-related (source: IDC).

• More than 60% of online purchases are made (source: Nielsen//NetRatings).

 

THE RULES OF ENGAGEMENT

EMPLOYERS ARE NOT REQUIRED BY LAW TO DISCLOSE:

• The frequency of the monitoring.

• The information to be monitored.

• How the information will be stored, used and disclosed in the future.

• The law places no limitation on how employers use the fruits of their surveillance.

• Employees have no right to review stored e-mail and Web visits.

• If employers choose to ignore the law and not inform employees of the monitoring, the most severe penalty for a first offender is an administrative penalty of $500.

THEM AND US
“Employers would be well advised to disclose to employees what is being monitored and why. Employees, meanwhile, should make it their business to learn which monitoring systems are in place, and what the capabilities are”

Source: http://www.Privacyfoundation.com

THE FUTURE IS ‘P3P’

• The Platform for Privacy Preferences Project (P3P) has created a set of criteria for sites that set cookies on users. Third party cookies with policies will be evaluated by the user's browser to determine whether they meet user preferences, and hence be accepted.

• P3P's Full Policy and Compact Policy:

A "Full" P3P policy is a detailed XML document that completely describes all data collection practices for a site. In addition to Full Policies, sites are able to communicate their policies with regard to only cookie data through a mechanism called a Compact Policy. A Compact Policy is a custom HTTP header that is sent at the time a cookie is set. The Compact Policy, CP, uses a sequence of approximately 52 tokens to summarize a site's policy with regard to that cookie. Owing to the CP's condensed nature, Compact Policies are far easier for Web browsers to interpret and make decisions upon than are Full Policies.

• Internet Explorer 6.0 will require third parties that set cookies to deliver P3P "compact cookie policies" with their cookies. Third party cookies that do not have policies will be blocked.
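The browser-side check described on this slide, as an added example that is not part of the original presentation and is not Internet Explorer's actual algorithm: it parses the CP value of a P3P header and accepts or blocks a cookie against a user preference. The hosts, the `REJECTED` preference set and the two-label third-party test are assumptions made for illustration; the suffixes `i` and `o` are the P3P opt-in and opt-out attributes.

```python
import re

CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)
TOKEN_RE = re.compile(r"([A-Z]{3})([aio]?)")

def parse_compact_policy(p3p_header):
    """Return [(token, attribute), ...] from a P3P header value, or None without a CP."""
    match = CP_RE.search(p3p_header or "")
    if not match:
        return None
    pairs = []
    for raw in match.group(1).split():
        tok = TOKEN_RE.fullmatch(raw)
        if tok:                           # skip anything that is not a 3-letter token
            pairs.append((tok.group(1), tok.group(2)))
    return pairs

def is_third_party(page_host, cookie_host):
    """Simplification: compare the last two DNS labels, not a public-suffix lookup."""
    def site(host):
        return ".".join(host.lower().split(".")[-2:])
    return site(page_host) != site(cookie_host)

def cookie_decision(page_host, cookie_host, p3p_header, rejected_tokens):
    """Return (accepted, reason) for a cookie set together with the given P3P header."""
    if not is_third_party(page_host, cookie_host):
        return True, "first-party cookie"
    policy = parse_compact_policy(p3p_header)
    if not policy:
        return False, "third-party cookie without a compact policy"
    # A rejected practice is tolerated only if the site offers opt-in (i) or opt-out (o).
    hits = sorted({t + a for t, a in policy
                   if t in rejected_tokens and a not in ("i", "o")})
    if hits:
        return False, "policy conflicts with preferences: " + " ".join(hits)
    return True, "policy meets preferences"

# Constructed user preference: no sharing with unrelated third parties (UNR),
# no public disclosure (PUB), no telemarketing (TEL).
REJECTED = {"UNR", "PUB", "TEL"}
```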